Colonial Pipeline reported a cyber-attack that resulted in a halt of its fuel pipeline operations to the East Coast, per sources including this Bloomberg article originally posted on May 8, 2021. The attack came just days after the U.S. National Security Agency (NSA) had called for a review of operational technology (OT) security in U.S. critical infrastructure operations.
“President Joe Biden, who’s spending the weekend at Camp David, was briefed on the incident Saturday morning, the White House said,” per the Bloomberg article. “Hacking threats to critical infrastructure have been growing, prompting the White House to respond last month with a plan to try to increase the security of utilities and their suppliers. Pipelines are a specific concern because they play a central role in so many parts of the U.S. economy.”
“Colonial is a key artery for the eastern half of the U.S. It’s the main source of gasoline, diesel and jet fuel for the East Coast with its system from Houston as far as North Carolina, and New York.”
The largest in the U.S., Colonial Pipeline transports 2.5 million barrels or 100 million gallons per day of refined petroleum products or nearly half of the East Coast’s fuel supplies. Per Bloomberg, Colonial Pipeline reported its 5,500-mile pipeline operation was at a standstill.
Current Situation – What We Know
Confirmed in a statement on the Colonial Pipeline website:
The Discovery: Colonial Pipeline learned they were the victim of a ransomware cyber-attack on May 7, 2021.
Impacted Systems: All pipeline operations were stopped by Colonial Pipeline to contain the threat. Some IT systems were also affected.
Remediation and Recovery Efforts: Colonial Pipeline is currently working with a third-party cybersecurity firm, reportedly FireEye, to investigate the attack and is taking steps to understand and resolve the issue.
As of Sunday night, in a news release on its website, Colonial Pipeline stated that "maintaining the pipeline’s operational security and getting systems back online were its highest priorities", but it did not provide a timetable for the return to service. “While our mainlines remain offline, some smaller lateral lines between terminals and delivery points are now operational,” the company said in the release. “We are in the process of restoring service to other laterals and will bring our full system back online only when we believe it is safe to do so.”
Additionally, according to an article on TheHill.com Sunday evening, "The Federal Motor Carrier Safety Administration on Sunday issued a regional emergency declaration in 17 states and the District of Columbia in response to the shutdown of one of the largest pipelines in the U.S., which supplies around 45 percent of fuel consumed by the East Coast. The regional emergency declaration from the Department of Transportation lifts restrictions for motor carriers and drivers who are providing assistance to areas that are suffering shortages of 'gasoline, diesel, jet fuel, and other refined petroleum products' in the wake of the Colonial pipeline shutdown."
The Adversary: Reports indicate a professional cyber group is likely responsible, possibly “DarkSide,” known for targeted ransomware attacks.
Per a Washington Post story Monday morning, "DarkSide, the Eastern European-based criminal gang suspected of carrying out the attack, said in a notice that its motivation was purely financial. Cybersecurity researchers believe that DarkSide operates mostly out of Russia, which U.S. officials and cybersecurity experts have accused of harboring cyber criminals."
"Our goal is to make money and not creating problems for society,” the message said. “From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”
The following Twitter post from DarkSide seems to confirm this story.
Interesting wording: this half reads as an apology and also seems to be trying to pass some of the blame to a third party. They say they will introduce moderation on companies their "Partners" want to encrypt, since they are not a politically motivated group as such, but what about the partners?— Nathan J Hunt (@ISNJH) May 10, 2021
Possible Impacts to the Fuel Supply
Colonial Pipeline connects 29 refineries and 267 distribution terminals. A shutdown of the pipeline can cause reverberations throughout the market: refineries can scale back production and prices at the pump may rise.
It’s an effect that has happened in the past. In September 2017, when Hurricane Harvey caused substantial disruptions to crude oil and petroleum product supply chains, the result was increased petroleum product prices throughout the country. In fact, gas prices on the East Coast saw their highest peak in 9 years following Hurricane Harvey, which caused Colonial Pipeline to shut down operations at that time as well.
Reuters reports, “If the system is shut for four or five days, the market could see sporadic outages at fuel terminals that depend on the pipeline for deliveries.”
The investigation into the attack’s nature, scope, and impact is just beginning.
Reasons to Worry and Take Immediate Action
Last month, the NSA released a report highlighting the dire need to protect industrial control systems (ICS) and operational technology (OT) from cyber threats, stating: “Without direct action to harden OT networks and control systems against vulnerabilities introduced through IT and business network intrusions, OT system owners and operators will remain at indefensible levels of risk.”
In 2020, another unnamed pipeline operator also fell victim to ransomware, shutting its operations down for two days. That attack started on the IT side of the network and pivoted to the OT side to “eventually infiltrate the control and communication assets” — one of two “particularly dangerous threat vectors for remote cyber-attacks against OT” highlighted by the NSA.
More importantly, the NSA guidance stresses that owners and operators must act today to protect critical operations. “While OT systems rarely require outside connectivity to properly function, they are frequently connected for convenience without proper consideration of the true risk and potential adverse business and mission consequences. Taking action now can help improve cybersecurity and ensure mission readiness.”
Protecting OT Operations
As IT and OT have increasingly intermingled, the true air gap that once protected many OT networks has disappeared in all but the most locked-down facilities.
In an article on the Zero Day website by Kim Zetter, "Colonial’s operational network uses automation systems to control and monitor the flow of fuel from refineries and tank farms into Colonial’s pipeline, and from Colonial’s pipeline into the tanks and transportation facilities belonging to suppliers and distributors. Colonial’s corporate IT network and the process control network are connected and exchange information about how much fuel each supplier or distributor receives in order to bill them for it, says a source who works for a large midstream oil company that feeds fuel into Colonial’s pipeline."
This story clearly illustrates how IT and OT systems are becoming more interconnected to improve business processes. The result is greater risk to the OT network and its associated physical operations, which requires implementing cyber security best practices throughout the OT environment. To aid organizations in protecting against these attacks, we recommend the following as a starting point:
1. Implement Zero-Trust OT Network Segmentation
Zero-trust network segmentation is an ICS cyber security best practice. It helps stop unbridled access in IT environments and should be deployed just as widely in OT and ICS networks. Industrial operations already segment the ICS/OT network from the corporate IT network, but for many, that single boundary is where their protection stops.
2. Restrict Unauthorized User and Vendor Access
ICS/OT network operators must implement strict secure remote access policies to prevent unauthorized user access, control third party vendor access only as needed, and log all network access and actions.
3. Develop Incident Response Capabilities
No security program has perfect protection, so it’s critical to develop and test incident response capabilities and procedures to immediately investigate suspicious activity, respond to confirmed threats, and recover from security incidents.
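As an added illustration of the three recommendations above (this is not code from the original post, from Colonial Pipeline, or from any vendor), the following Python sketch models a default-deny IT/OT policy in which the only cross-zone flow out of OT is the billing volume exchange the Zero Day article describes, vendor remote access is a time-boxed grant that terminates at a DMZ jump host, and every decision is written to an audit log for incident responders. The zone addresses, ports, vendor name and sample traffic are constructed assumptions.

```python
from collections import namedtuple
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed zone plan for illustration only (not Colonial's real addressing).
ZONES = {
    "corp_it": ip_network("10.10.0.0/16"),   # ERP, billing, office workstations
    "ot_dmz": ip_network("10.20.0.0/24"),    # historian and vendor jump host
    "control": ip_network("10.30.0.0/24"),   # HMIs, PLCs, flow computers
}

# Zero-trust: default deny. Only these one-directional flows are permitted, so
# billing data leaves OT through the DMZ and nothing in corp IT can reach control.
ALLOWED_FLOWS = {
    ("control", "ot_dmz", 4840): "OPC UA from control zone to historian",
    ("ot_dmz", "corp_it", 443): "historian pushes delivery volumes to billing",
}

# Time-boxed vendor access that terminates only at the DMZ jump host.
VendorGrant = namedtuple("VendorGrant", "vendor src_ip jump_host start end")
AUDIT_LOG = []   # every decision is recorded, allowed or denied

def zone_of(ip):
    addr = ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "external")

def evaluate(src_ip, dst_ip, dst_port, grants=(), now=None):
    """Return ALLOW or DENY for one connection attempt and append an audit line."""
    now = now or datetime.now(timezone.utc)
    key = (zone_of(src_ip), zone_of(dst_ip), dst_port)
    decision, reason = "DENY", "no matching allow rule (default deny)"
    if key in ALLOWED_FLOWS:
        decision, reason = "ALLOW", ALLOWED_FLOWS[key]
    for g in grants:   # vendor path: right source, jump host only, inside the window
        if (src_ip, dst_ip) == (g.src_ip, g.jump_host) and g.start <= now <= g.end:
            decision, reason = "ALLOW", f"active vendor grant for {g.vendor}"
    AUDIT_LOG.append(f"{now.isoformat()} {decision} {src_ip}->{dst_ip}:{dst_port} {reason}")
    return decision

def run_sample():
    """Constructed sample traffic; returns the decision for each attempt."""
    t = datetime(2021, 5, 10, 14, 0, tzinfo=timezone.utc)
    grant = VendorGrant("integrator", "203.0.113.7", "10.20.0.5",
                        t.replace(hour=13), t.replace(hour=15))
    return {
        "it_workstation_to_plc": evaluate("10.10.5.20", "10.30.0.12", 502, now=t),
        "historian_to_billing": evaluate("10.20.0.10", "10.10.1.5", 443, now=t),
        "vendor_in_window": evaluate("203.0.113.7", "10.20.0.5", 22, [grant], t),
        "vendor_after_window": evaluate("203.0.113.7", "10.20.0.5", 22, [grant], t.replace(hour=18)),
        "vendor_straight_to_plc": evaluate("203.0.113.7", "10.30.0.12", 22, [grant], t),
    }
```

The denied attempts are exactly the IT-to-control and vendor-to-PLC paths the NSA guidance warns about, and the audit lines give an incident responder the record of who tried to cross a zone boundary and when.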
Revisit this Blog Post for updates in the coming days.
Updated Monday 5/10, 10:00a.m. CDT: Added details on remediation efforts from Colonial Pipeline news release and comments from the adversary, DarkSide, from a Washington Post story and Twitter posting.
Updated Monday 5/10, 11:10a.m. CDT: Added information on the interconnected nature of the Colonial Pipeline IT and OT systems as reported on the Zero Day website, and included an update on the regional emergency declaration by the U.S. Department of Transportation.